Beyond Regular
Model Checking
{
By Prof. Dana Fisman and Prof. Amir Pnueli
Presented by Yanir Damti
State explosion problem
Parameterized systems
Variables over infinite range
Symbolic model checking solves this problem
by representing the model implicitly
For example with BDDs
Background
Use {formal languages} for model
representation
One established method is using Regular
languages
Verification and formal
languages
Σ = 𝑥, ⊥
𝑆 = 𝑥 𝑛 ⊥𝑚 |𝑛, 𝑚 ≥ 0 ⊆ Σ ∗
Θ = ⊥𝑚 |𝑚 ≥ 0
𝑥
𝑅=
𝑥
∗
⊥ ⊥
𝑥 ⊥
∗
{
This is a counter system.
Sets of states are over
alphabet 𝚺, and the
transition relation 𝑅 is
over alphabet 𝚺 × 𝚺
𝜑 =“x is even”:
𝐿𝜑 = 𝑥𝑥 ∗ ⊥∗
Regular model checking Example
Σ – Alphabet
𝑅 – A language over the alphabet Σ × Σ
We denote a word in 𝑅:
𝑎𝑛
𝑎1 𝑎2
𝑤
⋯
≡
𝑏1 𝑏2
𝑏𝑛
𝑢
Projection:
𝑤
𝑅 ⇓1 = 𝑤
∈ 𝑅 𝑓𝑜𝑟 𝑠𝑜𝑚𝑒 𝑢
𝑢
L - A language over Σ
Lifting:
𝑤
∗
𝐿×Σ =
𝑤 ∈ 𝐿, 𝑢 ∈ Σ ∗ , 𝑤 = 𝑢
𝑢
Few Basic Definitions
𝑤 = 𝑎1 𝑎2 ⋯ 𝑎𝑛
𝑢 = 𝑏1 𝑏2 ⋯ 𝑏𝑛
Regular languages can be applied to several
types of parameterized problems.
Many interesting parameterized systems
cannot be represented by regular languages.
The Peterson mutual exclusion algorithm that
we’ll see later.
We’ll see three methods using non-regular
classes of languages.
Non-Regular model
checking
{
On one hand:
More expressive than
the regular languages
{
On the other hand:
Adequate for
symbolic model
checking
Aim: Find a class of
languages
Adequacy for
Symbolic Model
Checking
{
Size of an adequate class of
languages is bounded by a set of
requirements.
The following languages describe a model:
𝑀𝜑 - property to be verified
𝐴Θ - set of initial states
𝑅𝜌 - transition relation
Next, we see an algorithm using them.
General method for
symbolic model checking
Complementation
Lifting
𝑀0 ≔ 𝑀𝜑
For 𝑖 = 0,1, ⋯ repeat
Equivalence
𝑀𝑖+1 ≔
Σ∗ × 𝑀𝑖 ∩ 𝑅𝜌 ⇓1
Projection
until 𝑀𝑖+1 = 𝑀𝑖
return 𝑀𝑖 ∩ 𝐴Θ = ∅
Emptiness
Intersection
Procedure Backward MC
𝑀0 ≔ 𝑀𝜑
For 𝑖 = 0,1, ⋯ repeat
𝑀𝑖+1 ≔
until 𝑀𝑖+1 = 𝑀𝑖
return 𝑀𝑖 ∩ 𝐴Θ = ∅
Σ ∗ × 𝑀𝑖 ∩ 𝑅𝜌 ⇓1
φ – property to be verified, Θ – set of initial
states, 𝜌 – transition relation
ℳ, 𝒜, ℛ - classes of languages
𝑀𝜑 ∈ ℳ
𝐴Θ ∈ 𝒜
𝑅𝜌 ∈ ℛ
We say ℳ, 𝒜, ℛ are adequate for symbolic
model checking if the requirements to follow
hold.
More accurately…
𝑀0 ≔ 𝑀𝜑
For 𝑖 = 0,1, ⋯ repeat
𝑀𝑖+1 ≔
Σ ∗ × 𝑀𝑖 ∩ 𝑅𝜌 ⇓1
until 𝑀𝑖+1 = 𝑀𝑖
return 𝑀𝑖 ∩ 𝐴Θ = ∅
Requirements for Backward MC:
1.
ℳ, 𝒜, ℛ are adequate for representing 𝜑, Θ, 𝜌
respectively.
2.
ℳ is closed under complementation.
3.
ℳ is closed under lifting.
4.
ℳ is closed under intersection with ℛ.
5.
ℳ is closed under projection.
6.
ℳ is closed under intersection with 𝒜, and
emptiness is decidable for ℳ.
7.
Equivalence is decidable for two languages in ℳ.
More accurately…
Initial states –
non-regular,
the rest –
regulars
Define a new
non-regular
class of
languages
3 Methods
Private case
of 2
𝑁 : natural initially 𝑁 > 1
𝑦 : array 1. . 𝑁 of 0. . 𝑁 − 1 initially 𝑦 = 0
Number of processes
Array of priorities
𝑠 : array 1. . 𝑁 − 1 of 1. . 𝑁
Array of signatures
The Peterson Algorithm
for Mutual Exclusion
𝑁 : Number of processes
𝑦 : Priority array 1. . 𝑁
𝑠 : Signature array 1. . 𝑁 − 1
Process 𝒊 :
𝑡 : integer
ℓ0 : loop forever do
ℓ1 : Non-Critical
ℓ2 : for 𝑡 ≔ 1 to 𝑁 − 1 do
ℓ3 : 𝑦 𝑖 , 𝑠 𝑡 ≔ 𝑡, 𝑖
ℓ4 : await 𝑠 𝑡 ≠ 𝑖 ∨ ∀𝑗 ≠ 𝑖: 𝑦 𝑗 < 𝑦 𝑖
ℓ5 : Critical
ℓ6 : 𝑦 𝑖 ≔ 0
The Peterson Algorithm
for Mutual Exclusion
Initial states – non-regular,
the rest – regulars
{
Set of initial states
{
Property to be verified,
transition relation
Context-free
Regular
language
language
Main Principle
𝑀0 ≔ 𝑀𝜑
For 𝑖 = 0,1, ⋯ repeat
𝑀𝑖+1 ≔
Σ ∗ × 𝑀𝑖 ∩ 𝑅𝜌 ⇓1
until 𝑀𝑖+1 = 𝑀𝑖
return 𝑀𝑖 ∩ 𝐴Θ = ∅
We take 𝒜 to be the context-free languages
class
We take ℳ and ℛ to be the regular languages
class
The extra help from the context-free class will
make Peterson’s algorithm verification possible.
Main Principle
Σ = ⊕, |
⊕ ⋯⊕ | ⊕ ⋯⊕ | ⋯ | ⊕ ⋯⊕ | ⊕ ⋯⊕
0
1
𝑁−1
𝑁−1
Priority
Critical
(waiting processes)
(priority still 𝑁 − 1)
Representing Peterson’s
System
Transition relation:
𝑥 ⊕ 𝑦 ⟼ 𝑥 ⊕ 𝑦 𝑥 ∈⊕∗
𝑥| ⊕ |𝑦 ⟼ 𝑥|| ⊕ 𝑦 𝑦 ∈ |∗
𝑥Θ
⊕⊕
|⊕
𝑖 |𝑖 𝑥∶⊕
= |𝑦⊕⟼
𝑖>
1𝑦
𝑥⊕⟼⊕𝑥
𝑥 ⟼𝑥
Property’s negation: 𝜑 = ⊕ +|
∗
⊕⊕
Representing Peterson’s
System
𝑀0 ≔ 𝑀𝜑
For 𝑖 = 0,1, ⋯ repeat
𝑀𝑖+1 ≔
Σ ∗ × 𝑀𝑖 ∩ 𝑅𝜌 ⇓1
until 𝑀𝑖+1 = 𝑀𝑖
return 𝑀𝑖 ∩ 𝐴Θ = ∅
We defined initial states as a context-free
language.
We defined the transition relation and property
with regular languages.
⟹ We can model check with the Backward-MC
algorithm
Goal: Show Mutual
Exclusion
Define a new non regular
class of languages
A DPDA is a tuple Σ, 𝑆, 𝑠0 , Γ, ⊥, 𝜌, 𝐹
Σ – Input alphabet
𝑆 – Set of states
𝑠0 ∈ 𝑆 - Initial state
Γ – Stack alphabet
⊥∈ Γ – Stack bottom symbol
𝜌 – Transition relation: 𝑆 × Σ × Γ ⟶ 𝑆 × Γ ∗
𝐹 ⊆ 𝑆 – Set of accepting states
Reminder: Pushdown
Automata
The class of languages accepted by pushdown
automata is denoted:
ℒ𝐷𝑃𝐷𝐴
We also denote the regulars as:
ℒ𝐹𝐴
Pushdown Automata
Language Class
We define an operation:
∘∶ 1𝐷𝑃𝐷𝐴 × 𝐹𝐴 ⟶ 𝐷𝑃𝐷𝐴
DPDA with
one state
We take a specific 1DPDA: 𝑀
We look at the set of all DPDA that is a result of
the above operation on 𝑀 with some FA, 𝑅:
𝐷𝑃𝐷𝐴 − 𝑀 = 𝐴 𝐴 = 𝑀 ∘ 𝑅 𝑓𝑜𝑟 𝑅 ∈ 𝐹𝐴
Main Principle
𝐷𝑃𝐷𝐴 ≜ Σ, 𝑆, 𝑠0 , Γ, ⊥, 𝜌, 𝐹
Let 𝑀 be a 1DPDA:
𝑀 = Σ, 𝑞 , 𝑞, Γ, ⊥, Δ, ∅
Δ can be considered:
Δ ∶ 𝑆 × Σ × Γ ⟶ 𝑆 ×Γ ∗
Let 𝑅 be a DFA:
𝑅 = Σ × Γ, 𝑆, 𝑠0 , 𝛿, 𝐹
Cascade Product
𝑀 = Σ, Γ, ⊥, Δ
Δ ∶ Σ × Γ ⟶ Γ∗
𝑅 = Σ × Γ, 𝑆, 𝑠0 , 𝛿, 𝐹
𝛿 ∶𝑆× Σ×Γ ⟶𝑆
The cascade product 𝑀 ∘ 𝑅 is a DPDA:
𝐴 = Σ, 𝑆, 𝑠0 , Γ, ⊥, 𝜌, 𝐹
The transition relation:
𝜌 𝑠, 𝜎, 𝑧 = 𝛿 𝑠, 𝜎, 𝑧 , Δ 𝜎, 𝑧
Cascade Product
𝑀 = Σ, Γ, ⊥, Δ
Δ ∶ Σ × Γ ⟶ Γ∗
𝑅 = 𝑉 × Γ, 𝑆, 𝑠0 , 𝛿, 𝐹
𝛿 ∶𝑆× 𝑉×Γ ⟶𝑆
Let 𝑅 be over alphabet 𝑉 × Γ, for some 𝑉.
Let 𝜙 ∶ 𝑉 → Σ be a mapping from 𝑉 to Σ.
The cascade product with respect to 𝜙, 𝑀 ∘𝜙 𝑅 :
𝐴 = 𝑉, 𝑆, 𝑠0 , Γ, ⊥, 𝜌, 𝐹
𝜌 𝑠, 𝜎, 𝑧 = 𝛿 𝑠, 𝜎, 𝑧 , Δ 𝜙 𝜎 , 𝑧
Let’s complicate…
Let 𝑀 = Σ, Γ, ⊥, Δ be as before.
Let 𝐴 be a DPDA:
If 𝐴 = 𝑀 ∘𝜙 𝑅 for some 𝑅 and some 𝜙, then we
say 𝐴 is 𝑴 − 𝒄𝒐𝒏𝒔𝒊𝒔𝒕𝒆𝒏𝒕.
We define the class of languages accepted by
any 𝑀 − 𝑐𝑜𝑛𝑠𝑖𝑠𝑡𝑒𝑛𝑡 DPDA:
ℒ𝐷𝑃𝐷𝐴−𝑀
Define a Class of
Languages
𝑀0 ≔ 𝑀𝜑
For 𝑖 = 0,1, ⋯ repeat
𝑀𝑖+1 ≔
until 𝑀𝑖+1 = 𝑀𝑖
return 𝑀𝑖 ∩ 𝐴Θ = ∅
Σ ∗ × 𝑀𝑖 ∩ 𝑅𝜌 ⇓1
We will show effective closure under:
Complementation
Lifting
Intersection with a regular language
And we will also show:
Equivalence is effectively decidable
Emptiness is effectively decidable
The hard part: showing closure under projection.
ℒ𝐷𝑃𝐷𝐴−𝑀 is Adequate for
Symbolic Model Checking
Let 𝐴 = 𝑀 ∘𝜙 𝑅
For simplification assume:
Input alphabet of A is Σ × Σ
𝜙 ≜⇓2
We compute the 𝑀 − 𝑐𝑜𝑛𝑠𝑖𝑠𝑡𝑒𝑛𝑡 automaton of
the projection of ℒ 𝐴 on the first coordinate:
ℒ 𝐴 ⇓1
Computing Projection
Special Case of Cascade
Product
𝑀 = Σ, Γ, ⊥, Δ
Δ ∶ Σ × Γ ⟶ Γ∗
𝑅 = 𝑉 × Γ, 𝑆, 𝑠0 , 𝛿, 𝐹
𝛿 ∶𝑆× 𝑉×Γ ⟶𝑆
We consider the cascade product 𝑀 ∘𝜙 𝑅 where:
𝑅 does not look at the stack
To accepted a word, stack have to be emptied
Simple Product
Separate the DFA part of the representation so
that projection can be computed only using the
DFA.
If we can write 𝑀𝜑 = 𝐿 ∩ 𝑅0 where 𝑅0 is regular
and 𝐿 has certain properties, than we can use
the following algorithm for model checking.
Main Principle
Original algorithm:
𝑀0 ≔ 𝑀𝜑
For 𝑖 = 0,1, ⋯ repeat
𝑀𝑖+1 ≔
until 𝑀𝑖+1 = 𝑀𝑖
return 𝑀𝑖 ∩ 𝐴Θ = ∅
Σ ∗ × 𝑀𝑖 ∩ 𝑅𝜌 ⇓1
𝑀𝜑
𝑀0 ≔ 𝐿 ∩ 𝑅0
For 𝑖 = 0,1, ⋯ repeat
𝑅𝑖+1 ≔
Σ ∗ × 𝑅𝑖 ∩ 𝑅𝜌 ⇓1
𝑀𝑖+1 ≔ 𝑅𝑖+1 ∩ 𝐿
until 𝑀𝑖+1 = 𝑀𝑖
return 𝑀𝑖 ∩ 𝐴Θ = ∅
Modified Backward MC
𝑀𝜑
𝑀0 ≔ 𝐿 ∩ 𝑅0
For 𝑖 = 0,1, ⋯ repeat
𝑅𝑖+1 ≔ Σ ∗ × 𝑅𝑖 ∩ 𝑅𝜌 ⇓1
𝑀𝑖+1 ≔ 𝑅𝑖+1 ∩ 𝐿
until 𝑀𝑖+1 = 𝑀𝑖
return 𝑀𝑖 ∩ 𝐴Θ = ∅
The computation of 𝑀𝑖+1 in both versions is
identical. That is:
Original
algorithm
𝑀𝑖+1 = Σ ∗ × 𝑀𝑖 ∩ 𝑅𝜌 ⇓1
Induction
=
Σ ∗ × 𝑅𝑖 ∩ 𝐿
∩ 𝑅𝜌 ⇓1
𝑀𝑖
=
𝛴∗ × 𝑅𝑖 ∩ 𝑅𝜌 ⇓1 ∩ 𝐿
𝑅𝑖+1
The Main Claim
Definition: A language 𝐿 is left preserved by a
bi-language 𝑅 if:
𝐿 × Σ ∗ ∩ 𝑅 ⇓2 = 𝐿
If Θ = 𝐿 ∩ 𝑅0 and 𝐿 is left preserved by 𝑅, than
we can use the modified Forward MC
Preserved Language
𝜒 = 𝑤 ∶ # |, 𝑤 = # ⊕, 𝑤 > 1
Θ = ⊕𝑖 |𝑖 ∶ 𝑖 > 1
⟹ Θ = 𝜒 ∩ ⊕+ |+
𝜒 is left preserved by 𝑅
⟹ We can use the modified Forward MC
Peterson example
Claim: 𝑀𝑖+1 =
Σ ∗ × 𝑀𝑖 ∩ 𝑅𝜌 ⇓1 =
𝛴 ∗ × 𝑅𝑖 ∩ 𝑅𝜌 ⇓1 ∩ 𝐿
𝑅𝑖+1
Proof:
𝑀𝑖+1 =
=
Σ ∗ × 𝑀𝑖 ∩ 𝑅𝜌 ⇓1
Σ ∗ × 𝑅𝑖 ∩ 𝐿
∩ 𝑅𝜌 ⇓1
=
Σ ∗ × 𝑅𝑖 ∩ Σ ∗ × 𝐿
∩ 𝑅𝜌 ⇓1
=
Σ ∗ × 𝑅𝑖 ∩ 𝑅𝜌 ∩
Σ ∗ × 𝐿 ∩ 𝑅𝜌
=
Σ ∗ × 𝑅𝑖 ∩ 𝑅𝜌 ⇓1 ∩
=
Σ ∗ × 𝑅𝑖 ∩ 𝑅𝜌 ⇓1 ∩ 𝐿
⇓1
Σ ∗ × 𝐿 ∩ 𝑅𝜌 ⇓1
Problem in the Claim
Definition:
Fixing the Problem
© Copyright 2026 Paperzz